Wednesday News: The Adobe Digital WTF Edition
Adobe’s e-book reader sends your reading logs back to Adobe—in plain text [Updated] – In what has to be one of the very worst moves in Internet history, Adobe Digital Editions 4 now tracks every book you read and sends that information IN PLAIN TEXT back to Adobe. That’s right folks: Adobe is massively violating your privacy by keeping track of what you read, then further imperiling your security by having that information travel unencrypted to spy central. There is also concern that this activity violates the Reader Privacy Act recently enacted in New Jersey. And what about epub library books, you ask?
Digital Editions (DE) has been used by many public libraries as a recommended application for patrons wanting to borrow electronic books (particularly with the Overdrive e-book lending system), because it can enforce digital rights management rules on how long a book may be read for. But DE also reports back data on e-books that have been purchased or self-published. Those logs are transmitted over an unencrypted HTTP connection back to a server at Adobe—a server with the Domain Name Service hostname “adelogs.adobe.com”—as an unencrypted file (the data format of which appears to be JSON).
The behavior is part of Adobe’s way of managing access to e-books borrowed from a library or “lent” by other users through online bookstores supporting the EPUB book format, such as Barnes & Noble. If you’ve “activated” Digital Editions with an Adobe ID, it uses that information to determine whether a book has been “locked” on another device using the same ID to read it or if the loan has expired. If the reader isn’t activated, it uses an anonymous unique ID code generated for each DE installation. –Ars Technica
Adobe Confirms It’s Gathering Ebook Readers’ Data – I know you didn’t think it could get any worse, but, alas, it does. Adobe tries to explain itself, and when Nate Hoffelder informs Adobe that ADE 4 is not only tracking epub books, but his whole digital book library, Adobe reiterates its original statement:
Reached for comment, Adobe confirms that those data gathering practices are indeed in place. “Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them,” Adobe said in a statement this afternoon. The statement continues:
“All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.” –Digital Book World
Adobe Digital Editions 3 Probably Safe From Adobe’s Spying, Experts Say – Nate Hoffelder, who broke this story originally, reports that earlier versions of ADE do not appear to be prying into your private reading habits. You can check out this article and the others he wrote to see how both he and Ars Technica confirmed that Adobe is sending your info in plain text back to spy central. Hoffelder suggests that if you want to avoid Adobe altogether (and how many of you are ripping that software from your computer as I write this?), you can try a reader program like Bluefire.
I have followed up on this story and looked into the earlier versions of Digital Editions, just to see how long Adobe may have been spying on users. After testing DE2 and DE3 I can report, and others can confirm, that neither app appears to be tracking my reading habits nor uploading details about my ebook library.
The older apps do send some information to Adobe, but the data packet is small enough that it can’t hold much more than info required to authorize the DRM. So if you need one of Adobe’s apps, you do have safer options than DE4. –The Digital Reader
E-Reader Privacy Chart, 2012 Edition – Although it’s from 2012, EFF has a handy chart that looks at Google Books, Kindle, Nook, Kobo, Sony, OverDrive, IndieBound, the Internet Archive, and Adobe Content Server, to determine what information each application can and cannot monitor, track, and share, along with assessing compatibility with digital books purchased elsewhere. Right now it may be especially handy. –Electronic Frontier Foundation
I haven’t upgraded my version of Adobe DE since I updated to 2.1 ages ago and I’m not planning to ever do so if I can possibly avoid it. Apart from the privacy concerns, the new ADE could bring problems re their new DRM. Adobe suck.
This is a real invasion of privacy.
If Adobe are scanning your hard drive and Calibre library etc, are they also scanning your non-ebook PDF or Word documents that could contain sensitive information?
Exactly *what* is being gathered and uploaded **unencrypted** FFS?
Has anyone ever read the stupid EULA?
My hard drive feels dirty :(
I have Overdrive on my Kindle Fire.
Just how much does Adobe know about me now? Is it sending data back even though I haven’t borrowed a book from my local library in months?
What does “other digital publications” mean??? My browsing history from Silk? My stored passwords for Facebook/Reddit/Gmail, that I used for everything/MY BANKING ACCOUNT???? Actually my bank’s website doesn’t allow stored user id/password – but I have accessed my account from my Fire.
I swear I’m not Chicken Little when it comes to “the hacker known as 4Chan” (lol) and none of their goddamn business information grabs from companies – but this one, Adobe DE, is beyond the pale.
Does the ADE news apply to ADE-authorized reading apps too, like Mantano and Bluefire?
I’ve never used Adobe DE to read books, but I’ve used it to download DRM books to my computer to side load. I had an old version of DE on my old computer, but I’ve been putting off installing DE on my new computer because of all the concerns with DE 4.
I was under the impression that I had to use DE to download a DRM book, from say ARe, to my Mac laptop for side loading. Are there alternatives? I use Bluefire on my phone – can I use it on my MacBook Pro instead of DE? I’d love to see a technology post on alternatives to DE.
I was under the impression that I had to use DE to download a DRM book, from say ARe, to my Mac laptop for side loading. Are there alternatives? I’d love to see a technology post on alternatives to DE.
This.
What I can’t tell from these articles and would love to know:
1. Is this limited to books read *in ADE* or when they are read after sideloading, assuming the device later checks in with ADE?
2. Does this affect books that are in ADE because a user is using it to manage an ebook library, as opposed to books that are in ADE merely to manage the digital rights?
My library is very explicit that they do not retain data from my library card tree book check outs. If they do not have the data, then it cannot be subpoenaed. I was cautious using Kindle for library books, as they clearly kept the data. But ADE is over the top. Keeping the data, no security on the data, AND being secret about it?
I do side load all of my books, using Calibre. I did so, thinking it would keep my reading and page counts slightly more confidential. But it sounds like the new ADE is gobbling that data as well.
Based on how Calibre behaves, I sincerely doubt that DE is reading your Calibre library. Also, according to my public library’s website, DE is required to open and access all books borrowed from the system’s ebook library that aren’t already loaded onto borrowable Nook devices. I never upgraded my DE to 4 simply because I didn’t know there was a new edition and my copy of 3 works fine for everything I use it for. It’s bad form of Adobe, yeah, but considering all the things Microsoft, Amazon, and other software companies collect from people I’m not surprised they’re doing it, only that it’s unencrypted.
@Kaetrin:
Ditto, ditto, ditto!
When I had to re-do my machine, I specifically sought out the ADE 2.x because I’d heard horror stories about 3. Now I am even more glad that I did so, the more I read about 4. This is awful.
@cleo: @Willa: You can still download Adobe DE 2.0 from here
http://www.adobe.com/support/digitaleditions/downloads.html
No spying in 2.0.
I just had to go check which version I have – thankfully it’s Adobe DE 2.0.
I’d also like a post on various other options to ADE. I download some of my NetGalley and library books to ADE and if there are different options I’d love to know about them.
The question is if the book has ADE DRM or not. Books without DRM can go directly to Calibre or a reading app. Books with ADE DRM need to go through ADE. Overdrive will specify if a book is open ePub or not.
Just to be clear, Nate Hoffelder is stating that ADE was gathering his metadata from Calibre.
@Emily – in the comments to the Ars Technica article, the editor stated that DE wasn’t scanning the other epub files on the computer, only those in the DE library. So there’s either a miscommunication or scaremongering going on or both.
@Kaetrin: Thanks for that – have just checked and I have Version 2! YaY!
Commenters on Mobileread also mention that it’s been proven that ADE will also scan the entire drive of any attached eBook reader (did not specify if that would include a tablet) when ADE is opened.
If I remember correctly, this cleared up one of the issues with Nate’s original posts that it appeared to be scanning his entire hard drive. He knew the books weren’t in ADE, but they were in the unencrypted text file. They’ve confirmed the text file also contained info on every book on the reader.
There still appears to be a question about the Calibre files on his hard drive – it’s not been reproduced as of the last time I read through the thread.
Like Cleo and the other Willa, I don’t see a way to *not* use ADE if I buy DRM’d books. I have an old version of ADE, but still don’t like this one bit.
I completely agree, Willaful.
For some time now I have been aware that every time I connect the Kindle to my PC for any purpose, including charging, it creates a hidden text file listing all the titles in my Calibre library, including information on their DRM status, so this report is not really a surprise. I have been in touch with two tech journalists about the invasion of privacy this involves, but nobody seems concerned. I certainly am.
It seems naive to assume the file is not passed on if and when the Kindle calls home (which it now never does). I have now picked up an e-reader without wifi (a dying breed) to ensure reading privacy.
@Merrylon: I’m concerned about this information about kindle. Can you point me to somewhere that will show me how to see this hidden text file? I assumed of course that the kindle was reporting on my reading kindle books, but checking my calibre library…
In Folder Management, you need to set your PC to show hidden files (i.e. change the default). And there they are… (In fact two are produced; the list can be opened and is self-explanatory. I’m not sure about the purpose of the other).
Merrylon, are you saying the file is created on your computer or in the Kindle device folder when you plug it in? I have a Mac, so I’m not sure where to look.
@Willaful @Merrylon: I’m seeing on my kindle when I plug it into my PC two files called driveinfo.calibre and metadata.calibre. I can’t open them though. Is this what we’re talking about? (Thanks for the tip about how to see hidden files.)
As I understand it, driveinfo.calibre and metadata.calibre are files written *by Calibre* on your ereader, when you transfer files to your e-reader using calibre. It’s how Calibre manages sideloading and detecting what books you have on the device. I suppose that Amazon could access this data when the Kindle phones home, but I’ve already assumed that Amazon could access this data since it’s on the Kindle.
@ Joy — thank you for the additional info. It makes me feel slightly less paranoid (though I don’t actually use Calibre for side-loading).
@ Maria F — I just open them with Notepad
@Joy @Merrylon thanks!